
Final Project - Cryptographic Techniques

Introduction
Relevant Laws & Regulations
The HIPAA Privacy Rule establishes national standards to protect individuals' medical
records and other personal health information and applies to health plans, health care
clearinghouses, and those health care providers that conduct certain health care
transactions electronically. The Rule requires appropriate safeguards to protect the
privacy of personal health information, and sets limits and conditions on the uses and
disclosures that may be made of such information without patient authorization. The Rule
also gives patients rights over their health information, including rights to examine and
obtain a copy of their health records, and to request corrections (U.S. Department of
Health and Human Services, 2015).
The Health Information Technology for Economic and Clinical Health (HITECH) Act of
2009 provides HHS with the authority to establish programs to improve
health care quality, safety, and efficiency through the promotion of health IT, including
electronic health records and private and secure electronic health information exchange.
Learn more about select portions of the HITECH Act that relate to ONC's work (Health IT,
2016).
The FOI/Privacy Acts Division is the focal point for HHS Privacy Act administration,
including the HHS System of Records Notices (SORN). The Privacy Act of 1974, as
amended at 5 U.S.C. 552a:
Protects records about individuals retrieved by personal identifiers such as
a name, social security number, or other identifying number or symbol. An
individual has rights under the Privacy Act to seek access to and request
correction (if applicable) or an accounting of disclosures of any such
records maintained about him or her.
Prohibits disclosure of such records without the prior, written consent of
the individual(s) to whom the records pertain, unless one of the twelve
disclosure exceptions enumerated in subsection (b) of the Act applies.
Requires such records to be described in System of Records Notices
(SORNs) published in the Federal Register and posted to the Internet.
Binds only federal agencies and covers only records under the control of
federal agencies (and, by contract, also applies to contractor personnel and
systems used by a federal agency to maintain the records).
HHS Privacy Act regulations (45 CFR Part 5b).
FDA Privacy Act regulations (21 CFR Part 21) (U.S. Department of
Health and Human Services, 2017).
Policies
It will also be company policy to keep operating systems updated: Whether you run on
Microsoft Windows or Apple OS X, the operating system needs to be set for automatic updates.
Turning off computers at night or rebooting promotes the installation of updates (as well as clean
out system clutter). System updates are especially important for server operating systems where
all patches and updates need to be reviewed and updated on a recurring schedule. Employees need
to be reminded to have their smartphones and tablets also set to update iOS, Android, or
Microsoft Windows Phone operating systems automatically. Another update that will be required
on a regular basis will also be antivirus updates: Firms need to ensure that antimalware programs
are set to check for updates frequently and scan the device on a set schedule in an automated
fashion along with any media that is inserted (USB thumb and external hard drives) into a
workstation. In larger firms, workstations should be configured to report the status of the
antivirus updates to a centralized server, which can push out updates automatically when
required (Kepczyk, 2015).
Federal agencies are responsible for including policies and procedures that ensure
compliance with minimally acceptable system configuration requirements, as determined by the
agency within their information security program. Managing system configurations is also a
minimum-security requirement identified in FIPS 200, and NIST SP 800-53 defines security
controls that support this requirement. Configuration management has been applied to a broad
range of products and systems in subject areas such as automobiles, pharmaceuticals, and
information systems. Some basic terms associated with the configuration management discipline
are briefly explained below.
Configuration Management (CM) comprises a collection of activities focused on
establishing and maintaining the integrity of products and systems, through control of the
processes for initializing, changing, and monitoring the configurations of those products
and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software,
firmware, documentation, or a combination thereof) that is a discrete target of
configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system,
that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a
basis for future builds, releases, and/or changes.
A Configuration Management Plan (CM Plan) is a comprehensive description of the
roles, responsibilities, policies, and procedures that apply when managing the
configuration of products and systems. The basic parts of a CM Plan include:
Configuration Control Board (CCB) Establishment of and charter for a group of
qualified people with responsibility for the process of controlling and approving
changes throughout the development and operational lifecycle of products and
systems; may also be referred to as a change control board;
Configuration Item Identification methodology for selecting and naming
configuration items that need to be placed under CM;
Configuration Change Control process for managing updates to the baseline
configurations for the configuration items; and
Configuration Monitoring process for assessing or testing the level of
compliance with the established baseline configuration and mechanisms for
reporting on the configuration status of items placed under CM (Johnson,
Dempsey, Ross, & Gup, 2011).
Threat Environment
The threat as a company that we are concerned with is people gaining access to our
systems via provider or patient portals. Outsider attacks where people try to gain access to the
networks via ports not secured properly or falsified credentials will also be a concern to the
company. Employees who do not possess the proper training can also be considered a threat.
Lack of proper training creates a threat because it means employees may not secure data properly
or use proper encryption when sending information. Training such as Email Awareness Training:
Personnel need to be reminded to be skeptical of emails they did not expect and are out of
character. Staff need to be reminded how to hover over an email link before clicking or to look
at email properties to see if the sender's email address matches. They also need to be regularly
reminded to not click on or open suspicious attachments, instead sending them to the IT team to
review if there is any concern. If there are any questions about a link in an email, it is better to go
to the website directly by typing the address into a browser than to risk clicking on the link
(Kepczyk, 2015). The biggest take away in the training aspect is that employees need to be
trained. Educate Employees: Security education is as important as professional accounting CPE
and should be required annually. In addition to reviewing the firm policies, employees should be
educated on current cyber security attack methods such as phishing and pharming, and threats
including ransomware and social engineering used by hackers to get access to a user's computer
(i.e. NEVER provide your login, password or confidential information over the phone and to
people you don't know) (Kepczyk, 2015).
Cryptographic Mechanisms and Enforcing Policies in the Presence of Threats
The many different cryptographic mechanisms are meant to work together in order to
enforce policies laid out by the company. These policies are in place to help protect against
threats both inside and outside the company.

Figure 1.

Table 1
Components
#1 Customers: Hash-based Message Authentication Code (HMAC) is
a message authentication code that uses a cryptographic
key in conjunction with a hash function. HMAC provides
the server and the client each with a private key that is
known only to that specific server and that specific
client. The client creates a unique HMAC, or hash, per
request to the server by hashing the request data with the
private keys and sending it as part of a request. What
makes HMAC more secure than Message Authentication
Code (MAC) is that the key and the message are hashed
in separate steps: HMAC(key, msg) = H(mod1(key) ||
H(mod2(key) || msg)). This ensures the process is not
susceptible to extension attacks that add to the message
and can cause elements of the key to be leaked as
successive MACs are created. Once the server receives
the request and regenerates its own unique HMAC, it
compares the two HMACs. If they're equal, the client is
trusted and the request is executed. This process is often
called a secret handshake (Rouse, 2010).
Strong Password Policy (Administrative Controls):
IT policies should mandate complex passwords, meaning
at least eight characters with a combination of upper and
lower case letters, numbers and special characters.
Network settings should require personnel change their
passwords four times per year and personnel should not
be able to utilize any of the previous ten passwords. Best
practices point to using different passwords for each
login and not allowing anyone to know your password
(reset if necessary) (Kepczyk, 2015).
SSH public-key authentication relies on asymmetric
cryptographic algorithms that generate a pair of separate
keys (i.e., a key pair), one "private" and the other
"public". You keep the private key a secret and store it on
the computer you use to connect to the remote system.
Conceivably, you can share the public key with anyone
without compromising the private key; you store it on the
remote system in a .ssh/authorized_keys directory
(Indiana University, 2016). (Figure 2)
The PKI environment is made up of five components:

1. Certification Authority (CA) -- serves as the root
of trust that authenticates the identity of
individuals, computers and other entities in the
network.
2. Registration Authority (RA) -- is certified by a
root CA to issue certificates for uses permitted by
the CA. In a Microsoft PKI environment, the RA
is normally called a subordinate CA.
3. Certificate Database -- saves certificate requests
issued and revoked certificates from the RA or
CA.
4. Certificate Store -- saves issued certificates and
pending or rejected certificate requests from the
local computer.
5. Key Archival Server -- saves encrypted private
keys in a certificate database for disaster recovery
purposes in case the Certificate Database is lost
(Lawton, 2015).
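
The nested construction and the server-side comparison described in the HMAC entry for component #1, as an added example that is not part of the original paper. It assumes `mod1`/`mod2` are the standard RFC 2104 outer and inner pads; the request layout, the timestamp freshness check and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes its input in 64-byte blocks


def manual_hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(key, msg) = H(mod1(key) || H(mod2(key) || msg)) with RFC 2104 pads."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()      # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")        # then zero-padded to one block
    outer_key = bytes(b ^ 0x5C for b in key)    # mod1(key): key XOR opad
    inner_key = bytes(b ^ 0x36 for b in key)    # mod2(key): key XOR ipad
    inner_digest = hashlib.sha256(inner_key + msg).digest()
    return hashlib.sha256(outer_key + inner_digest).digest()


def canonical_request(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Serialise the signed fields in a fixed order (hypothetical layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 timestamp: int) -> str:
    """Client side: one tag per request, computed with the manual construction."""
    return manual_hmac_sha256(
        key, canonical_request(method, path, body, timestamp)).hex()


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   timestamp: int, tag_hex: str, now: int,
                   max_skew: int = 300) -> bool:
    """Server side: regenerate the tag with the stdlib and compare the two."""
    # Assumption beyond the page: stale timestamps are rejected to limit replay.
    if abs(now - timestamp) > max_skew:
        return False
    expected = hmac.new(key, canonical_request(method, path, body, timestamp),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected.encode(),
                               tag_hex.encode("utf-8", "replace"))


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"        # constructed sample value
    body = b'{"claim_id": 1}'                   # constructed sample request
    tag = sign_request(shared_key, "POST", "/claims", body, 1_000)
    print("valid   :", verify_request(shared_key, "POST", "/claims", body,
                                      1_000, tag, now=1_010))
    print("tampered:", verify_request(shared_key, "POST", "/claims",
                                      b'{"claim_id": 2}', 1_000, tag, now=1_010))
```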

#2 Providers: Strong Password Policy (Administrative Controls)
(Kepczyk, 2015).
Symmetric-key Authentication - In traditional
symmetric key authentication, the user shares a unique,
secret key (usually embedded in a hard token) with an
authentication server. The user is authenticated by
sending to the authentication server his/her username
together with a randomly generated message (the
challenge) encrypted by the secret key. If the server can
match the received encrypted message (the response)
using its shared secret key, the user is authenticated. A
slight variation of the symmetric-key implementation is
the use of OTP tokens. Such OTP tokens use either a
clock or counter, sometimes both, to generate the OTP
with a symmetric key contained in the device. There are
others that use a challenge-response system in which the
token combines a random challenge from the
authentication server with the shared secret key to
generate the response, which is essentially the OTP.
Since OTP will only be used once, it can protect the user
against password guessing, eavesdropping and replay
types of attacks. When implemented together with the
password authentication, this method also provides a
possible solution for two-factor authentication systems
(InfoSec, 2017).
OTPs (one-time passwords) are based on the concept of
a so-called cryptographically-secure pseudo-random
number generator (aka CSPRNG). As many
programmers know, pseudo-random generators (as found
in the standard library of most programming languages,
such as C's rand()) are algorithms that generate a
repeatable sequence of numbers that are random
looking; there are several ways to measure how random a
sequence is, but the important property that differentiates
a PRNG from a CSPRNG is not really concerned with
randomness per se, but rather with how easy it is to predict
the next number just by looking at the previous ones.
This is important in the OTP context because obviously
an attacker might get to know the previous numbers
generated by the system (e.g. through a key-logger
installed on the user's computer), so it is paramount to make
sure that he cannot exploit this knowledge to generate the
next number (Bajo, 2011).
PKI (Lawton, 2015).
#3 Remote Workers: Strong Password Policy (Administrative Controls)
(Kepczyk, 2015).
Secure Devices: Any device that contains firm and client
data needs to be physically or digitally secured. On-
premise file servers need to be in a locked room/cage and
the office should have a security system. Mobile devices
need to be locked when not in use and any data drives
encrypted (Kepczyk, 2015).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
PKI (Lawton, 2015).
#4 Off-Site Backup: Set up policy for encrypting backup data. Firms should
encrypt any backup media that leaves the office and also
validate that the backup is complete and usable. Firms
should regularly review backup logs for completion and
restore files randomly to ensure they will actually work
when needed (Kepczyk, 2015).
#5 Outer Firewall: Secure Configurations for Network Devices such as
Firewalls, Routers, and Switches: Compare firewall,
router, and switch configuration against standard secure
configurations defined for each type of network device in
use. Network devices should be managed using two-
factor authentication and encrypted sessions. The
network infrastructure should be managed across
network connections that are separated from the business
use of that network, relying on separate VLANs or,
preferably, on entirely different physical connectivity for
management sessions for network devices (UC Irvine,
2017).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
#6 Web Servers: Organizations apply configuration management (CM)
for establishing baselines and for tracking, controlling,
and managing many aspects of business development and
operation (e.g., products, services, manufacturing,
business processes, and information technology).
Organizations with a robust and effective CM process
need to consider information security implications with
respect to the development and operation of information
systems including hardware, software, applications, and
documentation. Effective CM of information systems
requires the integration of the management of secure
configurations into the organizational CM process or
processes. For this reason, this document assumes that
information security is an integral part of an
organization's overall CM process; however, the focus of
this document is on implementation of the information
system security aspects of CM, and as such the term
security-focused configuration management (SecCM) is
used to emphasize the concentration on information
security. Though both IT business application functions
and security-focused practices are expected to be
integrated as a single process, SecCM in this context is
defined as the management and control of configurations
for information systems to enable security and facilitate
the management of information security risk (Johnson,
Dempsey, Ross, & Gup, 2011).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
The Kerberos Key Distribution Center (KDC) is a
network service that supplies session tickets and
temporary session keys to users and computers within an
Active Directory domain. The KDC runs on each domain
controller as part of Active Directory Domain Services
(AD DS) (Microsoft, 2007). Kerberos is a trusted third-
party service. That means that there is a third party (the
Kerberos server) that is trusted by all the entities on the
network (users and services, usually called "principals")
(Ubuntu, 2012). These four locations were selected due
to the fact that they deal with users/servers within the
company's domain.
#7 VPN: Advanced Encryption Standard (AES) in January
1997: NIST call for algorithms to replace DES. Block
cipher: 128-bit blocks, 128/192/256-bit keys. Strength
3 DES, much more efficient. Standard FIPS-197
approved by NIST in November 2001. Official scope
was limited: US Federal Administration used AES as
Government standard from 26 May 2002. Documents
that are sensitive but not classified. 2003: NSA has
approved AES-128 also for secret information, and AES
with key sizes larger than 128 for top secret information.
Significance is huge: AES is the successor of DES.
Major factors for quick acceptance: No royalties, High
quality, Low resource consumption (Hamilton, UNK).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
PKI (Lawton, 2015).
#8 Inner Firewall: Secure Configurations (UC Irvine, 2017).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
#9 User and Provider Data: Encrypting backup (Kepczyk, 2015).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
#10 Corporate LAN: Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
PKI (Lawton, 2015).
#11 Wireless Access Point: Wireless Device Control is utilized to protect restricted
information from being transmitted over unencrypted
wireless or through unauthorized access points: Encrypt
wireless traffic. Ensure that all wireless access points are
manageable using enterprise management tools. Do not
install access points without local network engineer and
security input. Configure scanning tools to detect
wireless access points (UC Irvine, 2017).
Symmetric-key Authentication (InfoSec, 2017).
OTPs (one-time passwords) (Bajo, 2011).
PKI (Lawton, 2015).
#12 Corporate Data: Encrypting backup (Kepczyk, 2015).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
Table 2
Interfaces
#13 Customers to Outer Firewall: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
The Digital Signature Algorithm (DSA) can be used by
the recipient of a message to verify that the message has
not been altered during transit as well as ascertain the
originator's identity. A digital signature is an electronic
version of a written signature in that the digital signature
can be used in proving to the recipient or a third party
that the message was, in fact, signed by the originator.
Digital signatures may also be generated for stored data
and programs so that the integrity of the data and
programs may be verified at any later time. The DSA is
used by a signatory to generate a digital signature on data
and by a verifier to verify the authenticity of the
signature. Each signatory has a public and private key.
The private key is used in the signature generation
process and the public key is used in the signature
verification process. For both signature generation and
verification, the data (which is referred to as a message)
is reduced by means of the Secure Hash Algorithm
(SHA) specified in FIPS 180-1. An adversary, who does
not know the private key of the signatory, cannot
generate the correct signature of the signatory. In other
words, signatures cannot be forged. However, by using
the signatory's public key, anyone can verify a correctly
signed message (VOCAL Technologies, Ltd., 2017).
PKI (Lawton, 2015).
#14 Providers to Outer Firewall: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
PKI (Lawton, 2015).
#15 Remote Workers to VPN: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
PKI (Lawton, 2015).
#16 Outer Firewall to Web Servers: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
PKI (Lawton, 2015).
#17 Web Servers to Inner Firewall: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
PKI (Lawton, 2015).
#18 VPN to Inner Firewall: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
PKI (Lawton, 2015).
#19 Inner Firewall to Corporate LAN: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
PKI (Lawton, 2015).
#20 Inner Firewall to User and Provider Data: AES (Hamilton, UNK).
Secure Configurations (UC Irvine, 2017).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
#21 Corporate LAN to User and Provider Data: AES (Hamilton, UNK).
Configuration Management (Johnson, Dempsey, Ross,
& Gup, 2011).
Kerberos Key Distribution Center (KDC) (Microsoft,
2007), (Ubuntu, 2012).
#22 Wireless Access Point to Corporate LAN: AES (Hamilton, UNK).
Wireless Device Control (UC Irvine, 2017).
Digital Signature Algorithm (DSA) (VOCAL
Technologies, Ltd., 2017).
PKI (Lawton, 2015).
#23 Corporate LAN to Corporate Data: AES (Hamilton, UNK).
Configuration Management (Johnson, Dempsey, Ross,
& Gup, 2011).
Figure 2.

Conclusion
In order for a company to excel in its cyber security program there are many elements
that need to be covered. One such element is that of cryptography. This report laid out all the
different moving pieces and ideals of cryptography. The other aspects are those of policies a
company creates to help support their cyber security program. For our company I think some of
the things that need to be focused on are ideals like training. It is important for a company to
make sure everyone they employ is properly trained so that they do not inadvertently release
information to the wrong people or allow information to be stolen from servers.
As a health insurance company, it is vital that we stay in compliance with all laws,
especially those regarding patient information. It is imperative that we not allow information
belonging to patients, providers, or other customers to be leaked or stolen off servers.
References
Bajo, G. (2011). The algorithms behind OTP tokens. Retrieved from Giovanni Bajo's swapfile:
http://giovanni.bajo.it/post/47121329280/the-algorithms-behind-otp-tokens
Hamilton, G. (UNK). CA642: CRYPTOGRAPHY AND NUMBER THEORY. Retrieved 2017,
from Computing.DCU.IE:
http://www.computing.dcu.ie/~hamilton/teaching/CA642/notes/Block.pdf
Health IT. (2016). Health IT Legislation and Regulations. Retrieved from Health IT:
https://www.healthit.gov/policy-researchers-implementers/health-it-legislation
Indiana University. (2016). How do I set up SSH public-key authentication to connect to a
remote system? Retrieved from Indiana University - Knowledge Base:
https://kb.iu.edu/d/aews
InfoSec. (2017). e-Authentication. Retrieved from InfoSec:
https://www.infosec.gov.hk/english/itpro/e_auth_method.html
Johnson, A., Dempsey, K., Ross, R., & Gup, S. (2011, AUG). Guide for Security-Focused
Configuration Management of Information Systems. Retrieved from NIST:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf
Kepczyk, R. H. (2015, JUL 07). Top 20 Cybersecurity Checklist. Retrieved from AICPA:
https://www.aicpa.org/interestareas/privatecompaniespracticesection/qualityservicesdelivery/informationtechnology/pages/cybersecurity-checklist.aspx
Lawton, S. (2015, MAR 17). Introduction To Public Key Infrastructure (PKI). Retrieved from
Tom's IT Pro: http://www.tomsitpro.com/articles/public-key-infrastructure-introduction,2-884.html
Microsoft. (2007, NOV 30). Kerberos Key Distribution Center. Retrieved from Microsoft -
Windows Server: https://technet.microsoft.com/en-us/library/cc734104(v=ws.10).aspx
Rouse, M. (2010, NOV). Hash-based Message Authentication Code (HMAC). Retrieved from
TechTarget: http://searchsecurity.techtarget.com/definition/Hash-based-Message-Authentication-Code-HMAC
U.S. Department of Health and Human Services. (2015). The HIPAA Privacy Rule. Retrieved
from U.S. Department of Health and Human Services: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
U.S. Department of Health and Human Services. (2017). The Privacy Act. Retrieved from U.S.
Department of Health and Human Services: https://www.hhs.gov/foia/privacy/index.html
Ubuntu. (2012). MIT Kerberos key server (KDC). Retrieved from Ubuntu:
https://apps.ubuntu.com/cat/applications/saucy/krb5-kdc/
UC Irvine. (2017). Information Security and Privacy. Retrieved from UCI:
https://security.uci.edu/security-plan/plan-control7.html
UC Irvine. (2017). Security Control 10: Secure Configurations for Network Devices such as
Firewalls, Routers, and Switches. Retrieved from UC Irvine Information Security and
Privacy: https://security.uci.edu/security-plan/plan-control10.html
VOCAL Technologies, Ltd. (2017). DSA Digital Signature Algorithm. Retrieved from VoCal:
https://www.vocal.com/cryptography/dsa-digital-signature-algorithm/
